Proxy Servers

Introduction

• 1. Acts as an intermediary between a private network and the internet – both client and remote host think they are communicating directly, when in fact it all goes through the proxy

• 2. Works as a Disk Cache for faster retrieval of frequently requested information

Firewall vs. Proxy Server

• Firewalls work at the Network layer and can block untrusted traffic

• Proxies work at the Application layer – and often map internal network addresses to single IP (NAT). This makes it difficult for outsiders to access internal IPs

• Can also be application specific: http – proxy, ftp-proxy, etc

Circuit-level Proxy

• Works between Application and Transport layer

• Establishes a a virtual circuit between clients and untrusted hosts

• Lets software work as if it had a direct internet connection instead of forcing individual setup of each application

Caching

• Works much like web browser caching, but for multiple users

• Significantly speeds up information retrieval (duh!) and takes load off of actual servers

• Read-ahead caching

• Last-modified multiplier

• Reverse caching

Security Features

• NAT/NPAT

• Packet Sequencing

• Packet Filtering

Modern Proxy

• Usually implemented inside of software suite as opposed to as a stand-alone product

Risks

• Initial configuration – remember access controls

• No access controls leaves the possibility for portscans.

• Worst case – allows for reverse connections

• No need to portscan, however, a google search can find Open Proxies

Proxy Abuse

• Open Proxy

• Simple method (from 2002): telnet to proxy, enter GET http://www.yahoo.com/ HTTP/1.0 – if page is returned, the proxy is ripe for abuse

• Anonymity value – how much does the HTTP header reveal about you?

Examples

• [Wed Aug 21 09:00:46 2002] 80.178.71.x: HEAD http://www.israela.com/sr/0838ap10_thumb.jpmela HTTP/1.0 [Wed Aug 21 09:01:57 2002] 80.178.71.x: HEAD http://www.israela.com/keyz HTTP/1.0 [Wed Aug 21 09:02:59 2002] 80.178.71.x: HEAD http://www.israela.com/private/htpass HTTP/1.0 [Attacker trying to find vulnerable CGI scripts on a porn site]

More Examples

• [Thu Aug 22 10:11:20 2002] 212.0.201.x: GET http://www.helllabs.com.ua/cgi-bin/textenv.pl HTTP/1.0 [Someone testing anonymity of the proxy]

• [Thu Aug 22 11:47:07 2002] 195.190.97.x: CONNECT http://login.icq.com:443/ HTTP/1.0 [Someone trying to hide their IP address on ICQ. Possible IM spammer]

The End?